Identify User / Player, backend API calls


We’re devloping an mobile game on Android an iOS. Our problem is the communication between devices and backend systems. To secure the requests to the API’s we want to be sure, its the user on phone (maybe someone has a better / secured way?). We didnt found any other / better solution to verify the API calls from other, disallowed devices (hacking).

How does this other games? I think they all communicate with their own API’s and not only with Google Play Services or GameCenter from iOS.

Is there a way to identify a user thrue Google Play Account? Identify thrue Device ID wouldn’t work, because if the holder of phone changes the phone, there is no way to identify again.

How you do this for API calls? To store the access information directly in the code (static) isn’t very secure. Of corse we have token authentification but even this can be easely find out when the data stores in the game.

Summary: I’m looking for a way to secure communication between players and backend API’s (REST). A login for the user isn’t a solution because its very user-unfriendly and all other games doesnt provide this.

Thanks for your help!

I’m from GameSparks
Have you thought about using a backend service for your game.
GameSparks has social integration letting users sign in by google+ , facebook ,twitter and more.
We have a unreal plugin and also provide online leaderboards , database’s and much more
If you are interested please check out the website or email us at
All the best with your game